PHP Remains Strong Despite Security Flaws

Over the course of May, the PHP community was hit with a barrage of more than 60 security issues. The security assault was all part of the Month of PHP Security (MOPS) effort, which disclosed the flaws.

But even after so many identified security issues in MOPS, PHP experts argue that the language is not necessarily insecure.

"Since none of the issues found were deemed as critical security issues, we don't consider any of them zero-day flaws," Andi Gutmans, CEO of PHP vendor Zend, told InternetNews.com.

Gutmans added that the vast majority of the flaws reported in PHP itself belong to a class of issues that requires local access to the server for the bug to be exploited. That would entail a scenario in which a developer is attacking his own server, which would have to be configured to permit access to run custom code.

"PHP was not designed to protect against such scenarios, and while it does some best-effort attempts to protect against casual hacking attempts, it doesn't pretend to promise bulletproof protection against untrusted developers with code access," Gutmans said. "As such, it's likely there are dozens of other similar issues in PHP, perhaps even more, and while we do consider them bugs, we don't consider them as critical security issues."

Rather, as a way to protect against privilege elevation, he recommends ensuring that security is properly configured at the operating-system level.

Among the reported MOPS issues are some that may be considered items that developer best practices can help to eliminate.

"PHP, like all development languages, is only as secure as the code people write in it," Gutmans said. "The main important thing developers have to know is that when they deploy a Web application -- whether it's written in PHP or in any other language -- they're deploying into a hostile world. It's therefore important for everyone to get security training."

His firm, Zend, is trying to help in the usage of secure PHP code through training and tutorials. It also provides templates for users of the IDE Zend Studio.

The most recent PHP release is PHP 5.3.2, which was a maintenance and bug fix update for PHP 5.3. Gutmans noted that future versions of PHP will contain fixes for most of the bugs found by MOPS, as well as many other unrelated fixes.

Overall Gutmans sees the PHP community as having made strides in security in recent years, though setting expectations remains critical.

"People should not expect PHP to be able to enforce security boundaries on a developer that has permissions to run custom PHP code," he said. "It's an inherently flawed scenario, and it's the wrong layer to protect in. People must rely on properly-configured OS-level permissions for securing against untrusted developers."

He also had kind words for the MOPS effort, which he praised for elevating the profile of PHP security throughout the community.

"The MOPS project does the PHP community a very positive service by raising awareness to security amongst PHP developers -- which is exactly what we think is the number one way to improve the track record of PHP security, especially PHP applications," Gutmans said. "In addition, the MOPS responsibly alerted the PHP project ahead of time regarding all the PHP-related issues, and presumably also alerted the various applications affected ahead of time too -- so we definitely view it as a positive event."